3

We are trying to use ACS sample 4 (from http://claimsid.codeplex.com/) as a template for our ADFS project. We have no problems with passive requests to the ADFS authentication service. In the sample the federation provider is a custom STS, and the sample works fine.

Now we want to replace the custom federation provider (Adatum FP in the sample) with our own ADFS.

Our current setup looks like this (namespaces obscured):

  • ServiceClient: console application that calls Services
  • Services: WCF web service with a single method returning a string. This is the default setup [Ordertracking.Services in the sample]
  • Services.Authentication: our custom identity provider. This is the default setup [Litware.SimulatedIssuer in the sample]
  • ADFS: our federation provider [FederationProvider.Adatum in the sample]

ServiceClient wants to call Services, and from its configuration it knows that it must get a token from the IP (Services.Authentication). It then passes that token to ADFS, which validates it and sends a new token back to ServiceClient. The client now passes the FP token to Services, and Services (as a relying party on ADFS) validates the token against ADFS and executes the service method.

Problem:

Replacing the STS in the sample with ADFS seems to break the integration. We seem to get the token from the IP correctly, but we run into problems when passing the IP token to ADFS. It looks like there is a problem with our Audience Uri, but we added

https://'adfs fqdn'/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256

Client exception: in the client we get a MessageSecurityException with this InnerException: {"ID3242: The security token could not be authenticated or authorized."}

[System.ServiceModel.FaultException]: {"ID3242: The security token could not be authenticated or authorized."}
Data: {System.Collections.ListDictionaryInternal}
HelpLink: null
InnerException: null
Message: "ID3242: The security token could not be authenticated or authorized."
Source: null
StackTrace: null
TargetSite: null

ADFS debug log

<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error">
    <Description>Handled exception.</Description>
    <AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain>
    <Exception>
        <ExceptionType>Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</ExceptionType>
        <Message>ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris. Audience: 'https://<adfs fqdn>/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256'</Message>
        <StackTrace>
  at Microsoft.IdentityModel.Tokens.SamlSecurityTokenRequirement.ValidateAudienceRestriction(IList`1 allowedAudienceUris, IList`1 tokenAudiences)
  at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2Conditions conditions, Boolean enforceAudienceRestriction)
  at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityServer.Service.Tokens.MSISSaml2TokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.WrappedSaml2SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
  at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.WrappedSamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
  at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
  at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator) at
  ....
        </StackTrace>
    </Exception>
</TraceRecord>

We have added the audience URI to our IP Web.config:

<audienceUris mode="Always">
    <add value="https://<adfs fqdn>/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256" />
</audienceUris>

If necessary, we can post the other configuration files and screenshots of the ADFS configuration.

4
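As an added illustration (not code from the question, the answers or the claimsid sample), the following models the AudienceRestriction check that produced the ID1038 trace above: the party that receives the token (ADFS in this setup) reads the assertion's Audience and looks for it in its own configured AudienceUris. The assertion XML is constructed, the host adfs.example stands in for the real ADFS FQDN, and the exact-match rule (scheme and host case-insensitive, path and trailing slash exact) is the example's assumption about the comparison, chosen to show why a URI that differs only in path case or a trailing slash is rejected.

```python
"""Model of an STS's SAML 2.0 AudienceRestriction check (illustration only,
not WIF or ADFS code). The assertion below is constructed; the Audience value
is the endpoint named in the question with a placeholder host."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment: the IP token as ADFS would receive it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://services.authentication.example/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://adfs.example/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def token_audiences(assertion_xml):
    """Return every Audience value found in the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip() for a in root.iter(f"{{{SAML2_NS}}}Audience") if a.text]


def normalize(uri):
    """Assumed comparison rule: scheme and host are case-insensitive,
    path (including any trailing slash) and query are compared exactly."""
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query)


def validate_audience(assertion_xml, allowed_audience_uris):
    """Accept the token only if one of its Audience values is in the receiving
    party's configured list; otherwise raise an ID1038-style error."""
    allowed = {normalize(u) for u in allowed_audience_uris}
    audiences = token_audiences(assertion_xml)
    if not audiences:
        raise ValueError("assertion carries no AudienceRestriction")
    for audience in audiences:
        if normalize(audience) in allowed:
            return True
    raise ValueError(
        "ID1038: The AudienceRestrictionCondition was not valid because the "
        f"specified Audience is not present in AudienceUris. Audience: '{audiences[0]}'")
```

The failing case mirrors the question: the token's Audience uses the mixed-case path without a trailing slash, while a configured entry in lower case with a trailing slash is not the same URI.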

2 Answers

5

It took some work, but we finally solved this. Instead of configuring it, we built the connection in code. I think we probably had an error somewhere in the client configuration.

Some advice for anyone trying this: build the connection in code first. The XML configuration is a bit hard to work with.

We found some sample code on leastprivilege.com:

using System.IdentityModel.Tokens;                          // SecurityToken
using System.ServiceModel;                                  // EndpointAddress, SecurityMode
using System.ServiceModel.Security;                         // TrustVersion
using Microsoft.IdentityModel.Protocols.WSTrust;            // WSTrustChannelFactory, RequestSecurityToken,
                                                            // WSTrust13Constants, ConfigureChannelFactory()
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;   // UserNameWSTrustBinding, IssuedTokenWSTrustBinding

// Hop 1: authenticate to the identity provider with a username/password
// and obtain an IP token scoped (AppliesTo) to ADFS.
private static SecurityToken GetIdPToken()
{
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        "https://systemidp.dk/Issuer.svc");
    factory.TrustVersion = TrustVersion.WSTrust13;

    factory.Credentials.UserName.UserName = "LITWARE\\rick";
    factory.Credentials.UserName.Password = "thisPasswordIsNotChecked";

    var rst = new RequestSecurityToken
    {
        RequestType = WSTrust13Constants.RequestTypes.Issue,
        // AppliesTo becomes the token's audience: it must be an identifier
        // that ADFS accepts for this claims provider.
        AppliesTo = new EndpointAddress("https://adfsfqdn/adfs/services/trust"),
        KeyType = WSTrust13Constants.KeyTypes.Symmetric,
        ReplyTo = "https://adfsfqdn/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/"
    };
    factory.ConfigureChannelFactory();
    var channel = factory.CreateChannel();
    return channel.Issue(rst);
}

// Hop 2: present the IP token to ADFS (the federation provider) on its
// issued-token endpoint and obtain an ADFS token scoped to the web service.
private static SecurityToken GetRSTSToken(SecurityToken idpToken)
{
    var binding = new IssuedTokenWSTrustBinding();
    binding.SecurityMode = SecurityMode.TransportWithMessageCredential;

    var factory = new WSTrustChannelFactory(
        binding,
        "https://adfsfqdn/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/");
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.SupportInteractive = false;   // no credential prompt in a console client

    var rst = new RequestSecurityToken
    {
        RequestType = WSTrust13Constants.RequestTypes.Issue,
        // The relying party (Services) is the audience of the ADFS token.
        AppliesTo = new EndpointAddress("https://services.dk/WebService.svc"),
        KeyType = WSTrust13Constants.KeyTypes.Symmetric
    };

    factory.ConfigureChannelFactory();
    // The IP token is sent as the client credential on this channel.
    var channel = factory.CreateChannelWithIssuedToken(idpToken);
    return channel.Issue(rst);
}

Creating the WCF call with the token:

// IWebService is the service contract of Services (the relying party).
var ipdtoken = GetIdPToken();
var stsToken = GetRSTSToken(ipdtoken);
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;   // send the issued token on every call, no secure session
var factory = new ChannelFactory<IWebService>(binding, "https://services.dk/WebService.svc");

factory.ConfigureChannelFactory();
factory.Credentials.SupportInteractive = false;

// The ADFS token is presented to the service as the client credential.
var serviceChannel = factory.CreateChannelWithIssuedToken(stsToken);

var s = serviceChannel.GetUserInformation();
answered 2011-10-25T08:46:31.490
0

The AudienceUri configuration on your IP looks fine. I think ADFS is the one raising the ID3242 fault. Can you check to make sure your IP is configured correctly under Claim Provider Trusts on your ADFS server?

If you have the IP's federation metadata handy, you could also try recreating it in ADFS.

answered 2011-10-24T00:34:00.593